The framework we propose for developing norms evaluates various actors in cyberspace, the objectives those actors are seeking to advance, the corresponding actions that could be taken, and, finally, the potential impacts that can result. Governments, often among the most advanced actors in cyberspace, can take a multitude of actions in cyberspace, both offensively and defensively, to support acceptable objectives. These actions and their resulting impacts, both intended and unintended, can precisely support defined objectives but can also advance one generally acceptable objective while simultaneously challenging another. In many cases, societal debate is not about objectives, such as degrading or delaying the spread of nuclear weapons or preventing terrorism, but whether the actions that can be taken—and the impact of those actions—are acceptable. With this framework in mind, when developing cybersecurity norms for governments, we can focus on discussing acceptable and unacceptable objectives, which actions may be taken by governments, in pursuit of those objectives, what the possible impacts are, and whether they are acceptable for a civilized, connected society.

Cybersecurity norms should be designed not only to increase the security of cyberspace but also to preserve the utility of a globally connected society. As such, norms should define acceptable and unacceptable state behaviors, with the aim of reducing risks, fostering greater predictability, and limiting the potential for the most problematic impacts, including (and in particular) impacts which could result from government activity below the threshold of war.

Cybersecurity norms that limit potential conflict in cyberspace can bring predictability, stability, and security to the international environment. With a wide acceptance of these norms, governments investing in offensive cyber capabilities would have a responsibility to act and work within the international system to guide their use, and this would ultimately lead to a reduction in the likelihood of conflict. In many cases the norms are either rooted in principles not dissimilar from those governing the Law of Armed Conflict, or derived from international best practices currently employed globally by the Information Communication and Technology sector.

The following norms, and the framework, used to build them, enable states to make choices that appropriately balance their roles as users, protectors, and exploiters of cyberspace.

1. States should not target ICT companies to insert vulnerabilities (backdoors) or take actions that would otherwise undermine public trust in products and services.

2. States should have a clear principle-based policy for handling product and service vulnerabilities that reflects a strong mandate to report them to vendors rather than to stockpile, buy, sell, or exploit them.

3. States should exercise restraint in developing cyber weapons and should ensure that any which are developed are limited, precise, and not reusable.

4. States should commit to nonproliferation activities related to cyber weapons.

5. States should limit their engagement in cyber offensives operations to avoid creating a mass event.

6. States should assist private sector efforts to detect, contain, respond to, and recover from events in cyberspace.